How to make a tun interface with openVPN on LuCI

I have been trying to make a tun interface (to establish a VPN tunnel to my PBX server). However, after creating an OpenVPN instance (on LuCI), I went to the “interface” page and clicked “add interface”, but the resulting page does not contain an option for “tun” (under the device menu), although it has an option for “eth”.
How do I make a tun interface?
My understanding is that TUN operates at layer 3 and eth at layer 2,
so will an eth interface even work for an OpenVPN tunnel?
I discovered that after adding “dev-type tun” to my VPN profile, when clicking “add interface” the “tun0” option is listed in the device menu.
Is that just a label for the interface, or would that tun interface actually be different (technically) from the interface that can be made when choosing the “device-eth” option?
Can anyone answer these 3 questions?

There is no need to create a TUN interface. OpenVPN creates and controls the tun interface. But that occurs only after negotiation and authentication with the other end of the link has completed. So you need to build complete working OpenVPN client and server configurations, and then you will have tun interfaces.

For a layer 3 (tun) VPN where you own both ends, WireGuard is much simpler to set up.

Thanks for your response!

Please allow me to provide more detail about my system so you can advise whether you still think WG is the best option for me.

I have 2 office locations (one in FL and the other in Chile).
I have 2 PBX servers (one is the primary and the second is a failover/backup).

Both offices need VPN access to both PBXs.

My original setup was that each location had an internet connection that plugged into the WAN port on a Mikrotik gateway. The computers and VoIP phones plugged into LAN ports on the Mikrotik.

Each PBX has a unique private IP and the gateway allowed the phones access to both PBXs.

Everything worked perfectly until one day the CA cert expired and then we lost access to both PBXs.

After it was determined that the expired CA cert was the cause of the problem, a new hire tried to generate new certs and copy them to the Mikrotiks, but this effort failed to reestablish access to the PBXs. He told me that the Mikrotiks needed firmware upgrades so that a newer version of OpenVPN could be installed. An upgrade attempt was done to the Mikrotik (in Chile) which broke something. It continued to route as before (without the VPN) but the LuCI GUI began displaying internal error messages.
In that state there was nothing more I could do with it.

So I bought a Turris Omnia router and am now trying to duplicate the way the Mikrotik was set up.

I must admit that I am confused. It seems that the Mikrotik only had one TUN interface, yet we had access to both PBXs (each with a unique private IP). I really do not understand how (what I think was 2 tunnels) worked with just one TUN interface.

Can you explain that to me?

Based on these details, do you still think WG is the best option for me?

This is the link you want to make it all work.

OpenVPN client using LuCI

An OpenVPN server can accept connections from multiple clients. If the client-to-client option is set on the server, the clients are linked to each other in a relay fashion (all packets must go to the server first, then they are re-sent to the other client).

OpenVPN deprecates old versions because they don't have the latest encryption standards and are thus considered insecure. It is necessary that both ends of an OpenVPN link be a similar vintage version.

Mikrotik also has WireGuard built in and it is completely compatible with OpenWrt's implementation.

Thanks so much mk24 and KSofen for your replies.

WireGuard is better and newer, but the setup is more complicated in OpenWrt, and making sure your system's real-time clock is accurate is critical with WireGuard. If your routers and computers have good CPU power, the OpenVPN setup I linked to is solid, reliable and well supported. WireGuard takes less CPU overhead and might be faster, but the speed you get at the client end is going to be limited by the upload speed on the server end.

I followed the directions for setting up OpenVPN (on my backup PBX server) from the link you posted.
It worked perfectly. But when I tried to set up a second set of configurations (for a VPN to my primary PBX server) I lost my internet connection.
Deleting the second set of configurations combined with “save and apply” and a reboot did not restore my internet connection.
This exact same thing happened before when I was following a different but similar set of instructions. Fortunately this time I had a backup that I was able to restore to reestablish the internet connection.

It begs the question: is it even possible for OpenVPN to manage 2 tunnels (each with its own interface, OpenVPN instance and firewall zone) in order to accommodate my need for a VPN connection to each of my PBXs?

Perhaps a better strategy would be to use just one interface with one set of firewall rules BUT with 2 OpenVPN instances. Is that possible?

Where are the PBX servers located?
Does each office have one PBX server?

Each office has a gateway (a VPN client) (one in FL and the other in Chile).

Neither office has a PBX server:
the primary PBX server is in Los Angeles, CA;
the backup PBX is in Mexico City.

Everything worked perfectly until the CA certs expired,
which prompted many failed attempts to renew and copy certs over to each VPN client, resulting in the bricking of the one in Chile and prompting me to replace it with a new Turris Omnia (now running OpenWrt).

That may be beyond OpenWrt's capabilities. I know you can have several configurations and have one connected, disconnect, and connect to another. I've never had a reason to connect to two different OpenVPN connections at the same time or even comprehend why you'd want to do that.

If you just want two different configurations connecting to two different servers that's quite simple. I probably don't understand exactly what you are trying to accomplish, so I can't answer the question.

I use PiVPN as my VPN server. It works on a Raspberry Pi 4 or any Debian x86 machine. It can do OpenVPN and WireGuard at the same time very reliably.

It is possible to run multiple tunnels; you need some form of PBR of course to take care of the routing.
I had (I am now using WireGuard) one OpenVPN server and two OpenVPN clients running at the same time.
The trick is to specify a tunnel number, e.g. dev tunX, and add an interface with this tunnel number to take care of the PBR.

But I am still in the dark about what the OP actually needs; a diagram of the network routing could be useful.
Does the OP need to set up an OpenVPN client in both offices to an OpenVPN server which houses the PBX?
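The fixed-tunnel-number approach described above, spelled out in OpenWrt's UCI files as an added example (not the poster's configuration): two OpenVPN instances, each pinned to its own tunX device, each bound to its own unmanaged interface and firewall zone. Instance names, file paths and zone names are assumptions.

```conf
# /etc/config/openvpn  (constructed example: one instance per PBX tunnel;
# pbx1.ovpn carries "dev tun0", pbx2.ovpn carries "dev tun1")
config openvpn 'pbx1'
	option enabled '1'
	option config '/etc/openvpn/pbx1.ovpn'

config openvpn 'pbx2'
	option enabled '1'
	option config '/etc/openvpn/pbx2.ovpn'

# /etc/config/network  (OpenVPN assigns the tunnel addresses itself,
# so the interface is 'none'; binding by fixed device name keeps the
# firewall zone attached to the right tunnel after restarts)
config interface 'vpn_pbx1'
	option proto 'none'
	option device 'tun0'

config interface 'vpn_pbx2'
	option proto 'none'
	option device 'tun1'

# /etc/config/firewall  (one zone per tunnel so each can be policed
# separately: nothing initiates from the VPN side towards the router,
# LAN phones may initiate towards the PBX)
config zone
	option name 'vpn_pbx1'
	list network 'vpn_pbx1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	# masquerade unless the server side has an iroute for the office LAN
	option masq '1'

config zone
	option name 'vpn_pbx2'
	list network 'vpn_pbx2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding
	option src 'lan'
	option dest 'vpn_pbx1'

config forwarding
	option src 'lan'
	option dest 'vpn_pbx2'
```

On OpenWrt releases before 21.02 the interface key is `option ifname` rather than `option device`. Which tunnel a given PBX address uses is then decided by the routes each OpenVPN instance installs (pushed by its server or set with `route` in its profile), so the two servers must hand out non-overlapping subnets.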

I have 2 PBX servers in 2 different locations. My VoIP phones have extensions to each PBX. The extensions for PBX1 point to the VPN for PBX1, the extensions for PBX2 point to the VPN for PBX2. That way if PBX1 goes down, I can still receive calls from PBX2.

This all used to work perfectly with my old gateway, so I know it can be done; I'm just not sure how to configure it because I have lost contact with the IT guy who set it up. I have some screenshots from the original setup and I observed there was only 1 tun interface.

Interesting, so each office has two OpenVPN connections to both PBX locations?

I think this can only be done with one tun interface if the office is the server side.
Then on each PBX location there need to be two OpenVPN clients, one for each office.

I assume you have access to the PBX locations to verify how that is set up; you also need to refresh the certificates there, I assume.

If you have access then I would ditch OpenVPN and use WireGuard, which is far easier to set up for this kind of setup.

Infrastructure diagram

The phones plug into the LAN port on each gateway (VPN client),
with some extensions pointing to 10.1.1.1 and others pointing to 10.11.1.1.

Having seen my network diagram, does everyone here agree that I should bail on OpenVPN in favor of WG? Someone told me my servers cannot be upgraded and it may not be possible to install WG. I have not verified whether that is true.

pbx.xtrafast.net version

[root@pbx ~]# cat /etc/os-release
NAME="Sangoma Linux"
VERSION="7 (Core)"
ID="sangoma"
ID_LIKE="centos rhel fedora"
VERSION_ID="7"
PRETTY_NAME="Sangoma Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:sangoma:sng:7::server:utf8"
HOME_URL="https://distro.sangoma.net/"
BUG_REPORT_URL="https://issues.sangoma.net/"

CENTOS_MANTISBT_PROJECT="Sangoma-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="sangoma"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

lagw.xtrafast.net version

[root@lagw ~]# cat /etc/os-release
NAME="Sangoma Linux"
VERSION="7 (Core)"
ID="sangoma"
ID_LIKE="centos rhel fedora"
VERSION_ID="7"
PRETTY_NAME="Sangoma Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:sangoma:sng:7::server:utf8"
HOME_URL="https://distro.sangoma.net/"
BUG_REPORT_URL="https://issues.sangoma.net/"

CENTOS_MANTISBT_PROJECT="Sangoma-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="sangoma"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

OK, that clears things up.

I assume you do not need access to both PBX servers at the same time.

In that case you can set up a standard OpenVPN client in both offices with two remotes in the OpenVPN config.

The openvpn client in your office first tries the first remote and if that fails it tries the second.

The pbx servers have an OpenVPN server.

In that case I would just renew the certs and keys and you should be good.

You can use easy-rsa to make new keys/certs.
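A client profile with the two remotes described above, written as an added example (not the poster's file and not taken from the OpenVPN project): OpenVPN walks the `remote` list in order, so the backup PBX is only contacted when the primary does not answer. Hostnames, port, certificate file names and the `office-fl` identity are placeholders.

```conf
# Constructed example: /etc/openvpn/pbx.ovpn on an office router
client
dev tun0
proto udp

# Remotes are tried in the order listed. If the primary does not complete
# the handshake within connect-timeout seconds, the client moves on to the
# backup and keeps cycling through the list (connect-retry seconds apart).
remote pbx-primary.example.net 1194
remote pbx-backup.example.net 1194
connect-timeout 30
connect-retry 5
resolv-retry infinite
nobind

persist-key
persist-tun

# One profile can reach both servers only if both server certificates
# chain to this same CA (the cert whose expiry caused the outage above).
ca   /etc/openvpn/ca.crt
cert /etc/openvpn/office-fl.crt
key  /etc/openvpn/office-fl.key

# Only accept a peer whose certificate carries the server role, so a
# leaked client certificate cannot be presented as "the PBX".
remote-cert-tls server
# Extra HMAC on the control channel; the same ta.key on both servers.
tls-auth /etc/openvpn/ta.key 1

cipher AES-256-GCM
verb 3
```

Because the whole outage in this thread came from an expired CA, record the CA's `notAfter` date (`openssl x509 -noout -enddate -in ca.crt`) when you regenerate it and schedule the renewal well before it; the client and server profiles need no further change when only the certificates are replaced.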

You just mentioned something that may be the missing part in my attempts to set this all up: two remotes.

So two remotes is an option in the VPN server profile (created on the VPN servers) which gets uploaded to the router through LuCI (on the OpenVPN page) and used as an OpenVPN instance,

and then I only need one interface to handle both tunnels?